Foiling Cyber-Spies on Business Trips

The admonitions to business travelers headed to other countries should be familiar by now: Keep your laptop with you at all times. Stay off public Wi-Fi networks. Don’t send unencrypted files over the internet.

But not all travelers are heeding them, and many are unaware of the foreign hackers and state-sponsored spies who are taking advantage of their lax security practices.

“There’s a difficult intersection between convenience and security,” said Samantha Ravich, who studies cyber-enabled economic warfare at the Foundation for Defense of Democracies, a policy institute focusing on national security. It takes more time to work abroad in the most secure way, and she said she will “often see executives hanging their head somewhat sheepishly when I ask who in the room follows all the security protocols.”

The theft of technical product specifications, investment plans, research on mergers and acquisitions, marketing plans and other information can have consequences beyond loss of revenue and market position, Ms. Ravich told the Senate Foreign Relations Committee earlier this year. She described potential large-scale effects of state-sponsored economic warfare, which, she said, could disrupt the delivery of items crucial for manufacturing, malware incidents that could disrupt travel and cyberattacks that could force companies to shut down their websites.

The problem of intellectual property theft is not new, but it is now much more widespread. “Placing listening devices in conference rooms, hotels and restaurants is traditional espionage 101,” Ms. Ravich said. But with tools like tiny inexpensive cameras and microphones or compromised Wi-Fi networks, corporate or state-sponsored industrial espionage “can be done cheaply and at scale,” she said.

Multiple microphones in a conference center, for instance, can be recording constantly, and those recordings can be fed into natural language processing software trained to flag certain words and report those conversations. “It’s not just a guy with headphones listening in the next room anymore,” Ms. Ravich said.

Communicating over the internet while overseas can be especially fraught, said Nicole Miller, an independent consultant in San Francisco who helps companies communicate with employees and customers on cybersecurity issues. “Assume any data, any information you transmit can be taken by a hacker, nation-state or another business,” she said. “These are not pedestrian tools they are using. They are extremely sophisticated.”

Physical security of phones, tablets and laptops is as important as cyber protection, Ms. Miller said. “Don’t leave your laptop or papers in your hotel room when you go out,” she said. A hotel room safe should not even be considered secure.

Ms. Miller said she advised travelers to create complex passwords for their devices and all of their online accounts, to use two-factor authentications whenever possible and to avoid plugging other people’s USB drives or other external hardware into their computers.

Laptops should also be wiped clean of any data and software at the end of the trip, she said. “Your device could have been altered, your data could have been altered,” without your realizing it, Ms. Miller said.

Sometimes circumstances beyond travelers’ control expose their information, as when customs officers in another country seize a person’s device and copy its contents, she said. “That’s why any information not absolutely required for a trip should remain at the office,” Ms. Miller said.

“And don’t tell your colleague about your great meeting while you are in the back of a taxi or in a restaurant,” she said, because you never know who is listening. Some business people at a foreign conference go so far as to wear buttons telling people not to speak out loud about their intellectual property.

Stanford University and Microsoft are among educational institutions and companies that supply comprehensive precaution and instruction lists to their employees who travel abroad.

Maureen Sharma travels regularly to Asia as part of her work for Mullally International, a small product development company in Seattle. Some unsettling incidents, she said, have made her more cautious when she travels abroad. “I often get more spam and strange emails that look like they are from me with attachments,” when returning from her business trips. Once, Ms. Sharma said, she received an email that looked like it was from a Chinese factory she was working with, asking her to send the next payment to a new bank account. “Luckily, I called to confirm because the factory had not sent that email,” she said.

Ms. Sharma said she makes sure never to bring sensitive information on her laptop and changes all her passwords every time she returns home from any trip abroad.

The same risks may apply to business people staying in hotels in the United States. When the Chinese company Anbang purchased the Waldorf Astoria in New York, President Barack Obama stopped having meetings there over cybersecurity concerns. Business, military and government information is being targeted for industrial espionage, said Evan Anderson, chief executive of Invnt/IP, a group dedicated to combating nation-sponsored intellectual property theft, and who writes about intellectual property security for the Strategic News Service website. “So shouldn’t we take the same precautions at home as we would abroad?”

Mr. Anderson said he created a map of Chinese-owned hotels around the world in 2016 and was surprised by how many they were, including some in Silicon Valley where technology companies hold meetings. “Most people don’t realize that an individual Four Seasons hotel, Ritz-Carlton, or many other brands, can be owned by a Chinese company with close ties to the Chinese government,” he said.

Of course, listening, spying and hacking can happen no matter who owns a hotel or where a meeting is. “The internet has no borders,” Ms. Miller said. “You could be hacked in another country or the U.S., and you have no idea where that person is.”

Ms. Ravich agreed. “There is a glaring disconnect between how critical this is, and how seriously people take it,” she said. One reason is the theft of information, data or plans may go unnoticed, unlike the theft of a physical laptop. It is also hard to connect a cyberattack on a company to a specific trip taken by a specific employee.

Companies need to place better controls on the hardware they issue, like laptops and cellphones, Ms. Ravich said, so the devices automatically send only encrypted data, require strong passwords and use cellular connections rather than the local Wi-Fi. To really improve or “harden” cybersecurity for business travelers, she said, companies need to take human behavior out of the equation.